How to configure the TLS cipher suite for HTTPS edge applications

HTTPS applications require additional security configurations in the form of TLS cryptography. When you configure an edge application with Azion, you can select the minimum TLS version supported and which cipher suite is used by the application.

There are separate instructions for API v3, which uses Delivery settings previously located within **Edge Application **Main Settings. On API v4, Delivery settings have been moved to the new Workloads product.

Configuring an HTTPS application

To enable the HTTPS protocol for your application:

Access Azion Console > Workloads.
Click the Workload you want to configure.
In Protocol Settings, select the HTTP and HTTPS support.

To specify the minimum TLS version and the cipher suite supported by your application, follow these steps:

In Minimum TLS version, select TLS 1.2.
Under Cipher suite, select TLSv1.2_2021.
Click the Save button.

It may take some time to propagate your changes to the edge. To verify whether your changes took place, you can inspect the https://xxxxxxxxxx.map.azionedge.net page using your browser and locate the security settings of the application. You can also run the DIG command to get more information on your security settings.

The application may still be running in TLS 1.3, since you selected the minimum version and not the exact TLS version used. However, you can check the cipher suite being used against the list of supported ciphers to verify whether the changes took place.

Access Azion Console > Edge Application.
Click the application you want to configure.
In Delivery Settings, select the HTTP and HTTPS support.

Now to specify the minimum TLS version and the cipher suite supported by your application:

In Minimum TLS version, select TLS 1.2.
Under Cipher suite, select TLSv1.2_2021.
Click the Save button.

Run the following GET request in your terminal, replacing [TOKEN VALUE] with your personal token to retrieve your <edge_application_id>:

curl --location 'https://api.azionapi.net/edge_applications --header 'Accept: application/json; version=3' --header 'Authorization: Token [TOKEN VALUE]'

You’ll receive a response with all your existing edge applications. Copy the value of the <edge_application_id> that you want to configure.
Run a PATCH request to modify the application as follows:

curl --location --request PATCH 'https://api.azionapi.net/edge_applications/<edge_application_id>' --header 'Accept: application/json; version=3' --header 'Content-Type: application/json' --header 'Authorization: Token [TOKEN VALUE]' --data '{
  "delivery_protocol": "http,https",
  "minimum_tls_version": "tls_1_2",
  "supported_ciphers": "TLSv1.2_2021"
}'

Key	Description
`delivery_protocol`	Enables the HTTP and HTTPS protocols
`minimum_tls_version`	Enum that establishes the minimum TLS version
`supported_ciphers`	Enum that sets the supported cipher suite. See the full list of list of supported ciphers for further details

You’ll receive a response similar to this:

{
  "results": {
      "id": <edge_application_id>,
      "name": "example.org",
      "delivery_protocol": "http,https",
      "http_port": [
          80,
          8008
      ],
      "https_port": [
          443
      ],
      "minimum_tls_version": "tls_1_2",
      "active": true,
      "debug_rules": false,
      "http3": false,
      "websocket": false,
      "supported_ciphers": "TLSv1.2_2021",
      "application_acceleration": true,
      "caching": true,
      "device_detection": false,
      "edge_firewall": false,
      "edge_functions": true,
      "image_optimization": false,
      "l2_caching": false,
      "load_balancer": false,
      "raw_logs": false,
      "web_application_firewall": false
  }
}

Wait a few minutes for the changes to propagate.
Check the supported cipher suite by inspecting the page or running the DIG command.

Run the following GET request in your terminal, replacing [TOKEN VALUE] with your personal token to retrieve your <workload_id>:

curl --request GET --url https://api.azion.com/v4/workspace/workloads --header 'Accept: application/json' --header 'Authorization: Token [TOKEN VALUE]'

You’ll receive a response with all your existing edge applications. Copy the value of the <workload_id> that you want to configure.
Run a PATCH request to modify the application as follows:

curl --request PATCH --url https://api.azion.com/v4/workspace/workloads/<workload_id> --header 'Accept: application/json' --header 'Authorization: Token [TOKEN VALUE]' --header 'Content-Type: application/json' --data '{
  "tls": {
    "minimum_version": "tls_1_2",
    "ciphers": 4
  },
  "protocols": {
    "http": {
      "versions": ["http1", "http2"],
      "http_ports": [80],
      "https_ports": [443]
    }
  }
}'

Key	Description
`protocols`	Enables the HTTP and HTTPS protocols
`minimum_tls_version`	Enum that establishes the minimum TLS version
`ciphers`	Enum that sets the supported cipher suite. See the full list of list of supported ciphers for further details

You’ll receive a response similar to this:

  {
    "id": <workload_id>,
    "name": "My workload",
    "active": true,
    "last_editor": "your-email@example.com",
    "last_modified": "2025-08-06T17:54:18.476043Z",
    "infrastructure": 1,
    "tls": {
      "certificate": null,
      "ciphers": 4,
      "minimum_version": "tls_1_3"
    },
    "protocols": {
      "http": {
        "versions": [
          "http1",
          "http2",
          "http3"
        ],
        "http_ports": [
          80
        ],
        "https_ports": [
          443
        ],
        "quic_ports": [
          443
        ]
      }
    },
    "mtls": {
      "verification": null,
      "certificate": null,
      "crl": null
    },
    "domains": [
      "mycooltestdomain.azion.app"
    ],
    "workload_domain_allow_access": true,
    "workload_domain": "xxxxxxxxxx.map.azionedge.net",
    "product_version": "1.0"
  },

Wait a few minutes for the changes to propagate.
Check the supported cipher suite by inspecting the page or running the DIG command.